Provision users from Okta using SCIM

Use the SCIM protocol to import users' digital identities from Okta (the source system) to EAA.

Prerequisites: Sign in to your Okta account.

This integration supports endpoints compatible with the SCIM 2.0 specification.

STEP 1: Create a new SCIM directory of type Okta in EAA

How to

  1. In the EAA Management portal, go to Identity > Directories.
  2. Select Add New Directory (+).
  3. Enter a name and description for the directory.
  4. In Directory Type select SCIM. In SCIM Schema select Okta.
  5. Select Create Directory and Configure.
  6. Copy the SCIM base URL and save it for Okta SCIM provisioning in STEP 4.
  7. In the SCIM provisioning select Generate new Provisioning key.
  8. In the Generate provisioning key enter a name and description, and select Create Provisioning key.
  9. Copy the Provisioning key by clicking on the copy to clipboard icon. Save it for Okta SCIM provisioning in STEP 4.
  10. In Login preference Attributes, select either User principal name (default) or Email as the attribute users log in with.
  11. Select Save Directory. The new SCIM directory card appears in Identity > Directories.

STEP 2: Add user and group accounts in Okta

How to

  1. Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to get into your administrator console.
  2. To add an individual user account, go to Directory > People.
  3. Select Add Person and enter this data in the Add Person dialog:
    1. In User type, select User.
    2. Enter the user’s data.
    3. Select Add User.
  4. To add a group account, go to Directory > Groups.
  5. Click Add Group and enter this data in the Add Group dialog:
    1. Enter the group’s name and description.
    2. Select Add Group.

STEP 3: Create SCIM application in Okta

How to

  1. Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to get into your administrator console.
  2. Go to Applications > Applications.
  3. Select Browse App Catalog.
  4. In the Browse App Integration Catalog search for SCIM, and from the list of results select SCIM 2.0 Test App (Header Auth).
  5. To create a SCIM-type app, in the SCIM 2.0 Test App (Header Auth) select Add.
  6. In Add SCIM 2.0 Test App (Header Auth) > General Settings define the name and the accessibility of your SCIM application:
    1. In the Application label, enter the application name.
    2. Accept default settings by clicking Next.
  7. In the Sign-On Options you can define the way users log in to your integration. Select Secure Web Authentication, and next select Done to accept default settings.
    Your SCIM application created in the Okta Admin portal is now ready.

STEP 4: Configure provisioning in Okta

Follow these steps to enable the communication between EAA and Okta by providing your authentication properties.

How to

  1. Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to get into your administrator console.
  2. Go to Applications > Applications.
  3. In the Applications search for SCIM, and from the list of results select SCIM 2.0 Test App (Header Auth).
  4. Go to Provisioning and select Configure API Integration.
  5. In the Provisioning select Enable API Integration.
  6. Use the values you saved in STEP 1:
    1. Paste your SCIM base URL into Base URL.
    2. Paste your Provisioning key into API Token.
  7. Select Test API Credentials to verify your credentials.
  8. When you receive a confirmation, select Save.
    EAA and Okta are now connected via the SCIM protocol. In Provisioning, you can configure the following settings:
    • To App. Here you can configure data that flows to the EAA service from Okta user profiles and through the integration.
    • To Okta. Here you can configure data that flows to Okta from the EAA service.
    • API Integration. Here you can modify your API authentication credentials.
  9. Go to To App and select Edit to enable operations for your group's endpoint.
  10. Enable Create, Update and Deactivate Users and select Save.
  11. Configure the Attribute mapping so that it is consistent with the default settings in EAA. Check that your SCIM app contains the same attributes as your SCIM directory in EAA.

    For default attributes see STEP 1.8.

    Your provisioning settings for your SCIM application are now configured. The following section provides you with the optional steps to set up alias provisioning in the Okta Admin portal.

STEP 5: Assign groups to your SCIM application in Okta

Follow these steps to assign users to your SCIM application.

How to

  1. Log in to your Okta account at https://<your tenant name>.okta.com. Select Admin to get into your administrator console.
  2. Go to Applications > Applications.
  3. Select the Assignments to assign individual users or groups. To assign a group select Groups.
  4. In the Assign SCIM app to Groups select Assign > Assign to Groups.
  5. In the Assign SCIM app to Groups search for a group you want to provision, and select Assign.
    In the Assign SCIM app to Groups you can provide additional information for the selected group. To continue, select Save and Go Back.
  6. Select Done.
    In the SCIM Assignment you can see the newly assigned group(s).
  7. Go to the Push Groups to push groups to EAA and enable group-based management.
  8. In the Push Groups > Find groups by name, enter and select the name of your assigned group.
    The name of the selected group appears below.
  9. To add more groups select Save & Add Another, and repeat the previous step.
  10. To accept default settings and confirm your group(s), select Save.
  11. For each of the selected groups, open the Push Status and select Push now to override the users and their privileges in EAA via immediate transfer from Okta.
    Note: If you get the error, "BadRequest - invalidSyntax: 'password' is not a valid SCIM attribute or has no mapping configured", please contact support at 1-877-4-AKATEC or support@akamai.com, or contact your account team.
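
An added example (not part of the EAA or Okta documentation): a pre-flight check for the attribute mapping in STEP 4, step 11. It lists the attributes a SCIM user payload carries that the directory has no mapping for, which is the condition named in the 'password' error in the note above. The directory attribute list and the sample user are constructed placeholders; substitute the attributes shown in your own EAA SCIM directory.

```python
# Added example, not from the EAA or Okta documentation.
# DIRECTORY_ATTRS is a constructed placeholder: replace it with the attributes
# listed in your own EAA SCIM directory.
DIRECTORY_ATTRS = {"userName", "name.givenName", "name.familyName",
                   "displayName", "emails.value", "active"}

# Resource envelope keys from SCIM 2.0 (RFC 7643); these are never mapped.
ENVELOPE = {"schemas", "id", "externalId", "meta"}
# Qualifier sub-attributes of multi-valued attributes such as emails.
QUALIFIERS = {"type", "primary", "display"}

# Constructed sample of a SCIM 2.0 user resource sent on user creation.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@example.com", "type": "work", "primary": True}],
    "active": True,
    "password": "constructed-placeholder",
}


def attribute_paths(resource, prefix=""):
    """Yield dotted attribute paths, descending into complex and multi-valued attributes."""
    for key, value in resource.items():
        path = prefix + key
        if isinstance(value, dict):
            yield from attribute_paths(value, path + ".")
        elif isinstance(value, list) and value and isinstance(value[0], dict):
            for item in value:
                data = {k: v for k, v in item.items() if k not in QUALIFIERS}
                yield from attribute_paths(data, path + ".")
        else:
            yield path


def unmapped_attributes(user, directory_attrs=DIRECTORY_ATTRS):
    """Return the sorted attribute paths in `user` that the directory does not map."""
    paths = {p for p in attribute_paths(user) if p.split(".")[0] not in ENVELOPE}
    return sorted(paths - set(directory_attrs))


if __name__ == "__main__":
    for attr in unmapped_attributes(SAMPLE_USER):
        print(f"'{attr}' has no mapping in the directory; remove it from the "
              "Okta attribute mapping or add it to the directory")
```
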